We’re trying to enable Vault audit using the Pulumi Vault package with Kubernetes, but are getting this error:
Diagnostics:
pulumi:pulumi:Stack (workspace-local-local-vault-audit):
error: update failed
vault:index:Audit (vault-audit):
error: 1 error occurred:
* error enabling audit backend: Error making API request.
URL: PUT https://localhost:8443/v1/sys/audit/file
Code: 400. Errors:
* file sink creation failed for path "/Users/.../vault-audit.log": event.NewFileSink: sanity check failed; unable to open "/Users/.../vault-audit.log" for writing: event.(FileSink).open: unable to create file "/Users/.../vault-audit.log": mkdir /Users: permission denied
Here’s the function we wrote:
import (
	"os"
	"path"

	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// Vault provider args
// vault.ProviderArgs{
// Address: pulumi.String("https://localhost:8443"),
// SkipTlsVerify: pulumi.Bool(true),
//
// Root token so probably has permissions for everything
// Token: pulumi.String("hvs..."),
// }
func (v Vault) EnableAudit(environment string) pulumi.RunFunc {
	program := func(ctx *pulumi.Context) error {
		// logPath is built from the working directory of the process running Pulumi
		cwd, _ := os.Getwd()
		logPath := path.Join(cwd, "vault-audit.log")
		// pre-create an empty log file at that local path
		_ = os.WriteFile(logPath, []byte(""), 0777)
		// explicit provider built from the ProviderArgs shown above
		provider, err := vault.NewProvider(ctx, "vaultprovider", &v.Vaultprovider)
		if err != nil {
			return err
		}
		// enable a "file" audit device, passing logPath as file_path
		_, err = vault.NewAudit(ctx, "vault-audit", &vault.AuditArgs{
			Options: pulumi.StringMap{
				"file_path": pulumi.String(logPath),
			},
			Type:  pulumi.String("file"),
			Local: pulumi.Bool(true),
		}, pulumi.Provider(provider))
		return err
	}
	return program
}
The vault-audit.log file is successfully created. The permissions seem permissive enough.
Additionally, we’re doing this on Rancher Desktop with Traefik turned off in favour of Nginx for port-forwarding (8080:80, 8443:443) to access Vault, following these docs. Using the default containerd. We don’t think this is an issue though.
If we try doing it directly in the k8s pod without Pulumi:
kubectl exec -it vault-0 -n vault -- /bin/sh -c "VAULT_TOKEN=hvs... vault audit enable file file_path=/var/log/vault-audit.log"
We get a very similar error:
Error enabling audit device: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:
* file sink creation failed for path "./vault-audit.log": event.NewFileSink: sanity check failed; unable to open "./vault-audit.log" for writing: event.(FileSink).open: unable to open file for sink: open ./vault-audit.log: permission denied
What are we missing? The Vault docs make it seem straightforward, with no prerequisites, but do we need to create a policy or something first?
2 Answers
Ron's solution pointed me in the right direction. I should mention my code above is based in part on a misunderstanding of the Vault Pulumi package. The NewAudit file_path property is a path in the K8s pod. So using cwd, _ := os.Getwd() as I did above won't work since it gets a path on my local machine.

In the end I enabled Vault auditStorage when installing from the helm chart with Pulumi:

Then created the Vault audit resource in another stack:

Now, I can do kubectl exec --stdin --tty -n vault vault-0 -- /bin/sh and then cat /vault/audit/vault-audit.log to see the audit logs. It's vault-0 because it's HA.

Probably a better idea to create the PVC claim in the same stack as where I create the audit resource rather than in the helm chart, but I'll go with this for now.
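The error chain in both failures above (event.NewFileSink: sanity check failed ... mkdir ... permission denied, and open ./vault-audit.log: permission denied) is Vault first creating the parent directory of file_path and then opening the file for writing, on the filesystem of the Vault server process. That is why pre-creating the file on the laptop, as the question's os.WriteFile did, proves nothing: the check happens inside the pod, as the vault user. The following is an added example, not code from the question or from either answer: a small stand-alone Go preflight that performs those same two steps against a candidate file_path and reports which step fails, so you can run it where Vault runs before enabling the device. The 0700 directory mode, 0600 file mode and O_APPEND|O_CREATE|O_WRONLY flags are assumptions that mirror the usual file-sink pattern rather than a copy of Vault's source, and rejecting relative paths outright is stricter than Vault itself, which would resolve them against the server's working directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// AuditPathStatus is the result of probing a candidate audit file_path.
type AuditPathStatus struct {
	Path   string
	DirOK  bool   // parent directory exists or could be created
	FileOK bool   // file could be opened for append, creating it if absent
	Detail string // human-readable reason, "ok" on success
}

// ProbeAuditPath performs the same two steps a file audit sink needs on the
// server side: make sure the parent directory exists (creating it if needed),
// then open the file for append/create. It writes no data.
// Assumed modes/flags: directory 0700, file 0600, O_APPEND|O_CREATE|O_WRONLY.
func ProbeAuditPath(p string) AuditPathStatus {
	st := AuditPathStatus{Path: p}
	if !filepath.IsAbs(p) {
		// Stricter than Vault: a relative path would be resolved against the
		// Vault process's working directory inside the container.
		st.Detail = "file_path is not absolute; it would be resolved relative to the Vault process's cwd"
		return st
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
		st.Detail = fmt.Sprintf("cannot create parent directory: %v", err)
		return st
	}
	st.DirOK = true
	f, err := os.OpenFile(p, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		if errors.Is(err, os.ErrPermission) {
			st.Detail = fmt.Sprintf("parent exists but file is not writable by uid %d: %v", os.Getuid(), err)
		} else {
			st.Detail = fmt.Sprintf("cannot open file: %v", err)
		}
		return st
	}
	f.Close()
	st.FileOK = true
	st.Detail = "ok"
	return st
}

func main() {
	// Default to the in-pod path from the accepted answer; override with argv[1].
	p := "/vault/audit/vault-audit.log"
	if len(os.Args) > 1 {
		p = os.Args[1]
	}
	st := ProbeAuditPath(p)
	fmt.Printf("%s: dir=%v file=%v (%s)\n", st.Path, st.DirOK, st.FileOK, st.Detail)
	if !st.FileOK {
		os.Exit(1)
	}
}
```

Build it statically and copy it into the pod (or run it via kubectl exec from an image that has it), as the same uid Vault runs under; a failure at the directory step means the volume is not mounted where you think, a failure at the file step with a permission error means the mount is owned by a different uid, and "ok" means vault audit enable file file_path=... will pass its sanity check.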
See below a sample function you may try:

This assumes that you have a Kubernetes cluster running and properly configured with Pulumi. Also, Vault is appropriately set up to run with the cluster.

You should change the Vault server configuration, the Docker image version, and storage size according to the requirements. Ensure that the Vault configuration (VAULT_LOCAL_CONFIG) matches your use case.